Showing
15 changed files
with
23,777 additions
and
23,408 deletions.
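--- /dev/null
+++ b/PATH-UNKNOWN-1
@@ -0,0 +1,95 @@
+{{- $v := .Values }}
+{{- if not (eq $v.teamId "admin") }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: default-ingress-deny
+spec:
+podSelector: {}
+policyTypes:
+- Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: default-ingress-platform
+spec:
+# Match all Pods in this namespace
+podSelector: {}
+policyTypes:
+- Ingress
+ingress:
+- from:
+- namespaceSelector:
+matchLabels:
+name: istio-system
+- from:
+- namespaceSelector:
+matchLabels:
+# FIXME: it seems that knative operator wipes out 'name' label,
+# we can still rely on automatic k8s labeling but it has some prerequsites: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#automatic-labelling
+# name: knative-serving
+kubernetes.io/metadata.name: knative-serving
+- from:
+- namespaceSelector:
+matchLabels:
+name: monitoring
+podSelector:
+matchLabels:
+app: prometheus
+# - from:
+# - namespaceSelector:
+# matchLabels:
+# name: shared
+
+{{- range $s := $v.services }}
+{{- if not $s.isCore }}
+{{- $ingressPrivateMode := dig "networkPolicy" "ingressPrivate" "mode" "denyAll" $s }}
+{{- if eq $ingressPrivateMode "allowAll" }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: {{ $s.name }}-ingress-from-all-teams
+spec:
+podSelector:
+matchLabels:
+app: {{ $s.name }}
+policyTypes:
+- Ingress
+ingress:
+- from:
+- namespaceSelector:
+matchLabels:
+type: team
+{{- else if eq $ingressPrivateMode "allowOnly" }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: {{ $s.name }}-ingress-allow-only
+spec:
+podSelector:
+matchLabels:
+app: {{ $s.name }}
+policyTypes:
+- Ingress
+{{- with $s.networkPolicy.ingressPrivate.allow }}
+ingress:
+- from:
+{{- range . }}
+- namespaceSelector:
+matchLabels:
+name: team-{{ .team }}
+{{- if hasKey . "service" }}
+podSelector:
+matchLabels:
+app: {{ .service }}
+{{- end }} {{/* hasKey */}}
+{{- end }} {{/* range . */}}
+{{- end }} {{/* with ingressPrivate.allow */}}
+{{- end }} {{/* if ingressPrivateMode */}}
+{{- end }} {{/* not $s.isCore */}}
+{{- end }} {{/* range services */}}
+{{- end }} {{/* if $v.teamId */}}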
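Review bot: The platform allow-list in `default-ingress-platform` and the team selectors in the `allowOnly` policy key on the operator-managed `name` namespace label (`name: istio-system`, `name: monitoring`, `name: team-{{ .team }}`), while only the knative entry uses the API-server-managed `kubernetes.io/metadata.name`. The `name` label is whatever the namespace creator set and can drift or be overwritten (the FIXME on the knative block already records one operator wiping it), whereas `kubernetes.io/metadata.name` is set by the API server and cannot be edited, so the remaining selectors should use it too: `kubernetes.io/metadata.name: istio-system`, `kubernetes.io/metadata.name: monitoring`, and `kubernetes.io/metadata.name: team-{{ .team }}` (assuming team namespaces are literally named `team-<id>`, which the template implies but does not show). The `type: team` selector in the `allowAll` policy has no automatic equivalent, so it deserves a comment stating that it is trusted to be set only by platform tooling, since any namespace carrying that label gains ingress to every `allowAll` service. The istio-system rule also admits every pod in that namespace; adding a `podSelector` for the ingress gateway would keep the deny-by-default intent tighter.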
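--- /dev/null
+++ b/helmfile.tpl/helmfile-connectivity.yaml
@@ -0,0 +1,125 @@
+# This release file define workloads used to verify connectivity between workloads
+#
+# Usage:
+# helmfile -f helmfile.tpl/helmfile-connectivity.yaml apply
+#
+# Observe status of client Pods with the following command:
+# watch 'kubectl get pods -l module=connectivity,type=client -A --sort-by=metadata.name'
+#
+# The Pod status 'Running' means that client is still attempting to reach out target
+# The Pod status 'NotReady' means that connection has succeded and container exited code of 0
+# The Pod status 'Error' means that connection did not succeded thus network policy denies traffic
+#
+# Example output
+# NAMESPACE NAME READY STATUS RESTARTS AGE
+# team-a1 client-c1-team-a1-to-s1-team-a1 2/3 Error 0 3m25s
+# team-a2 client-c1-team-a2-to-s1-team-a1 2/3 Error 0 3m25s
+# team-a1 client-c2-team-a1-to-s2-team-a1 2/3 NotReady 0 3m24s
+#
+# From above:
+# The pod client-c2-team-a1-to-s2-team-a1 was able to connect workload in team-a1 namespace and label app=s2
+# The pod client-c1-team-a2-to-s1-team-a1 was NOT able able to connect with workload in team-a1 namespace and label app=s1
+
+
+environments:
+default:
+values:
+- teamConnectivity:
+- server:
+namespace: team-a1
+labels:
+app: s1
+clients:
+- namespace: team-a1
+labels:
+app: c1
+- namespace: team-a2
+labels:
+app: c1
+- server:
+namespace: team-a1
+labels:
+app: s2
+clients:
+- namespace: team-a1
+labels:
+app: c2
+- namespace: team-a2
+labels:
+app: c2
+- server:
+namespace: team-a1
+labels:
+app: s3
+clients:
+- namespace: team-a1
+labels:
+app: c3
+- namespace: team-a2
+labels:
+app: c3
+- namespace: team-a2
+labels:
+app: c3b
+- server:
+namespace: team-a1
+labels:
+app: s4
+clients:
+- namespace: team-a1
+labels:
+app: c4
+- namespace: team-a2
+labels:
+app: c4
+- server:
+namespace: team-a1
+labels:
+app: s5
+clients:
+- namespace: team-a1
+labels:
+app: c5
+- namespace: team-a2
+labels:
+app: c5
+# - description: s10 does not any ingress except ingress from specific platform apps
+# server:
+# namespace: team-a1
+# labels:
+# app: s10
+# clients:
+# - namespace: istio-system
+# labels:
+# app: ingressgateway
+# - namespace: istio-system
+# labels:
+# app: istiod
+# - namespace: monitoring
+# labels:
+# app: prometheus
+# - namespace: shared
+# labels:
+# app: any
+
+# - description: s3 allows ingress from any pod from team-a2 namespace
+# server:
+# namespace: team-a1
+# labels:
+# app: s3
+# clients:
+# - namespace: team-a2
+# labels:
+# app: allowed1
+# - namespace: team-a2
+# labels:
+# app: allowed2
+# - namespace: team-a2
+# labels:
+# app: denied1
+releases:
+- name: inter-team-connectivity
+installed: true
+chart: ../charts/raw
+values:
+- ../values/connectivity/connectivity-raw.gotmpl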
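Review bot: The live `teamConnectivity` scenarios carry no expected outcome, so whoever runs the `watch` command from the header must already know which client pods are supposed to end in `Error` and which in `NotReady`; the commented-out entries do use a `description` field, and giving each live scenario a `description` plus an expected result such as `expect: deny` would make the run self-describing and scriptable (assuming `connectivity-raw.gotmpl`, which is outside this diff, can surface the field). The platform-ingress cases (istio-system, monitoring, shared) exist only as the commented-out `s10` block, so the platform allow-rules and the knative namespace-label workaround are not exercised by this release at all; if that omission is deliberate, a one-line comment on the block saying why would help. The header text also has typos worth fixing (`succeded`, `able able`, `define` for `defines`).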